Flux Operator Helm Chart
Artifact Hub: flux-operator
Install from GitHub
# Install the chart from GHCR, or upgrade the release if it already exists,
# and block until the rollout is ready.
# No --version is passed, so Helm picks the chart version itself; add
# --version X.Y.Z (placeholder) to pin the release you have reviewed.
helm upgrade --install flux-operator \
  oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator \
  --namespace flux-system \
  --create-namespace \
  --wait
Install from Quay
# Install or upgrade from Quay. The --set flag points image.repository at
# Quay too, so both the chart and the operator image come from the same
# registry instead of the ghcr.io default in the chart values.
# No --version is passed, so Helm picks the chart version itself; add
# --version X.Y.Z (placeholder) to pin the release you have reviewed.
helm upgrade --install flux-operator \
  oci://quay.io/fluxoperatordev/charts/flux-operator \
  --set image.repository=quay.io/fluxoperatordev/flux-operator \
  --namespace flux-system \
  --create-namespace \
  --wait
Values
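# Default values for flux-operator.

nameOverride: ""
fullnameOverride: ""

# NOTE(review): the lockdown is off by default. On a cluster shared by several
# tenants, read the linked RBAC section before leaving it disabled, because the
# operator's own service account is bound to cluster-admin while `rbac.create`
# is true.
# The two default*ServiceAccount names presumably select the account used when
# a ResourceSet does not name one; confirm against the linked docs.
# -- Enable [multitenancy lockdown](/docs/crd/resourceset/#role-based-access-control) for the ResourceSet APIs.
multitenancy:
  enabled: false
  enabledForWorkloadIdentity: false
  defaultServiceAccount: "flux-operator" # @schema required: true
  defaultWorkloadIdentityServiceAccount: "flux-operator" # @schema required: true

# -- Flux [reporting](/docs/crd/fluxreport/) settings.
reporting:
  interval: 5m # @schema required: true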
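# Settings for the Flux Status web server. Every key below is nested under
# `web`; the descriptions refer to them as `web.<key>` (e.g. `web.serverOnly`).
web:
  # NOTE(review): the web server is enabled by default. Set this to false on
  # clusters where the status UI is not used, so nothing listens on 9080.
  # -- Enable the [Flux Status web server](/web-ui/) on port 9080.
  enabled: true
  # -- The spec of the [Web Config API](/docs/web-ui/web-config-api/)
  config: { } # @schema type: object
  # NOTE(review): values files are often committed to version control. If the
  # web config carries credentials, supply it through this Secret rather than
  # through the inline `config` value above.
  # -- Reference to an existing Secret in the same namespace as the deployment containing the Web Config API. Should have the key `config.yaml`.
  configSecretName: "" # @schema default: ""
  # -- GitOps actions configuration for the web UI.
  userActions:
    # NOTE(review): with `FineGrained` the request reaches the API server under
    # the web server's identity, not the user's, so the user's own Kubernetes
    # RBAC is no longer what authorizes the action, and audit records will
    # likely name the web server's account. Keep `Impersonated` unless that
    # trade-off is intended.
    # -- Access mode for GitOps actions. When set to `FineGrained`, actions are performed using the web server's own privileges instead of impersonating the user, and the web ClusterRole is extended with the native Kubernetes permissions required by the actions (only effective in `web.serverOnly` mode; otherwise the operator already runs as cluster-admin). Either `Impersonated` (default) or `FineGrained`.
    access: Impersonated # @schema enum:["Impersonated", "FineGrained"]; default: "Impersonated"
  # NOTE(review): this policy allows traffic to the web interface. Which
  # sources it admits is decided by the chart template, not by this value;
  # review the rendered NetworkPolicy before treating it as a restriction.
  # -- Create a NetworkPolicy to allow access to the Flux Status web interface.
  networkPolicy:
    create: true
  # -- Create standard roles for [user access management](/docs/web-ui/user-management/).
  rbac:
    createRoles: true # @schema default: true
    createAggregation: false # @schema default: false
  # -- Run the Flux Status web server as a standalone deployment (requires a dedicated Helm release).
  serverOnly: false
  # -- Number of replicas for the Flux Status web server standalone deployment (only applicable if `web.serverOnly` is `true`).
  serverReplicas: 1 # @schema default: 1
  # NOTE(review): both external routes (Ingress and HTTPRoute) are disabled by
  # default. Before enabling either one, configure TLS (the `tls` list here, or
  # the gateway listener) and confirm how the Web Config API authenticates users.
  # -- Ingress settings for the Flux Status web interface.
  ingress: # @schema default: {"enabled":false,"className":"","annotations":{}}
    enabled: false # @schema default: false
    className: ""
    annotations: { } # @schema type: object
    hosts: [ ] # @schema item: object ; uniqueItems: true
    #  - host: flux-operator.example.com
    #    paths:
    #      - path: /
    #        pathType: ImplementationSpecific
    tls: [ ] # @schema item: object ; uniqueItems: true
    #  - secretName: flux-operator-tls
    #    hosts:
    #      - flux-operator.example.com
  # -- Gateway API HTTPRoute settings for the Flux Status web interface.
  httpRoute: # @schema default: {"enabled":false,"annotations":{},"parentRefs":[],"hostnames":[]}
    enabled: false # @schema default: false
    annotations: { } # @schema type: object
    parentRefs: [ ] # @schema item: object ; uniqueItems: true
    #  - name: my-gateway
    #    namespace: gateway-system
    #    sectionName: https
    hostnames: [ ] # @schema item: string ; uniqueItems: true
    #  - flux.example.com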
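# -- Install and upgrade the custom resource definitions.
installCRDs: true # @schema default: true

# -- Common annotations to add to all deployed objects including pods.
commonAnnotations: { }

# -- Common labels to add to all deployed objects including pods.
commonLabels: { }

# NOTE(review): the image is selected by tag, and a tag can be re-pointed in
# the registry. With `IfNotPresent` a node keeps whatever it already pulled for
# that tag. Whether a digest can be supplied is not shown here; check the
# deployment template if you need digest pinning.
# Mirroring to a private registry means overriding `repository` and, for
# authenticated pulls, listing the pull Secret names under `pullSecrets`.
# -- Container image settings.
# The image tag defaults to the chart appVersion.
image:
  repository: ghcr.io/controlplaneio-fluxcd/flux-operator # @schema required: true
  tag: ""
  pullSecrets: [ ] # @schema item: object ; uniqueItems: true
  imagePullPolicy: IfNotPresent # @schema enum:[IfNotPresent, Always, Never]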
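# -- Pod priority class name.
# Recommended value is system-cluster-critical.
priorityClassName: "" # @schema default: "system-cluster-critical"

# -- Kubernetes [API priority and fairness](https://kubernetes.io/docs/concepts/cluster-administration/flow-control/) settings.
apiPriority: # @schema default: {"enabled":false,"level":"workload-high","extraServiceAccounts":[]}
  enabled: false
  level: workload-high
  # Additional service accounts to include, one name/namespace pair per entry.
  extraServiceAccounts: []
  #  - name: kustomize-controller
  #    namespace: flux-system
  #  - name: helm-controller
  #    namespace: flux-system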
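# Both requests and limits are set, so the container's CPU and memory use is
# bounded; keep a memory limit when overriding these.
# -- Container resources requests and limits settings.
resources: # @schema required: true
  limits:
    cpu: 2000m
    memory: 1Gi
  requests: # @schema default: {"cpu":"100m","memory":"64Mi"}
    cpu: 100m
    memory: 64Mi

# Liveness and readiness are both HTTP GET checks against port 8081.
# -- Container liveness probe settings.
livenessProbe: # @schema default: {"httpGet":{"path":"/healthz","port":8081},"initialDelaySeconds":15,"periodSeconds":20}
  httpGet:
    path: /healthz
    port: 8081
  initialDelaySeconds: 15
  periodSeconds: 20

# -- Container readiness probe settings.
readinessProbe: # @schema default: {"httpGet":{"path":"/readyz","port":8081},"initialDelaySeconds":5,"periodSeconds":10}
  httpGet:
    path: /readyz
    port: 8081
  initialDelaySeconds: 5
  periodSeconds: 10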
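# -- Pod service account settings.
# The name of the service account defaults to the release name.
serviceAccount: # @schema default: {"create":true,"automount":true,"name":""}
  create: true
  automount: true
  name: ""

rbac:
  # NOTE(review): cluster-admin is unrestricted. While this binding exists,
  # write access to the operator's Deployment, to its service-account token, or
  # to the objects it reconciles is equivalent to cluster-admin, so limit who
  # can modify the release namespace. The description says the binding is
  # required for the Flux Instance deployment; confirm the impact before
  # setting it to false.
  # -- Grant the cluster-admin role to the flux-operator service account (required for the Flux Instance deployment).
  create: true
  # NOTE(review): with this on, holders of the built-in view, edit and admin
  # roles gain access to ResourceSet objects. Review it together with
  # `multitenancy.enabled`, which controls the lockdown for those APIs.
  # -- Grant the Kubernetes view, edit and admin roles access to ResourceSet APIs.
  createAggregation: true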
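# NOTE(review): the value is empty while the schema annotation documents
# `fsGroup: 1337` as the default; check the rendered Deployment to see which
# of the two actually applies.
# -- Pod security context settings.
podSecurityContext: { } # @schema default: {"fsGroup":1337}

# These defaults run the container as non-root with a read-only root
# filesystem, no privilege escalation, all capabilities dropped and the
# runtime's default seccomp profile. Relaxing any of them weakens that posture
# and can fail admission in namespaces that enforce the restricted profile.
# -- Container security context settings.
# The default is compliant with the pod security restricted profile.
securityContext: # @schema required: true
  runAsNonRoot: true # @schema default: true
  readOnlyRootFilesystem: true # @schema default: true
  allowPrivilegeEscalation: false # @schema default: false
  capabilities: # @schema default: {"drop":["ALL"]}
    drop: # @schema item: string ; uniqueItems: true
      - "ALL"
  seccompProfile: # @schema default: {"type":"RuntimeDefault"}
    type: "RuntimeDefault"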
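# The default term schedules the pod only on nodes labelled kubernetes.io/os=linux.
# -- Pod affinity and anti-affinity settings.
affinity: # @schema default: {"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]}]}}}
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/os
              operator: In
              values:
                - linux

# -- Pod tolerations settings.
tolerations: [ ] # @schema item: object ; uniqueItems: true

# -- Pod Node Selector settings.
nodeSelector: { } # @schema type: object

# NOTE(review): keep this false unless it is required. On the host network the
# pod shares the node's network namespace, so 8080 and 8081 are reachable on
# the node's addresses, and NetworkPolicy generally does not apply to
# host-network pods.
# -- If `true`, the container ports (`8080` and `8081`) are exposed on the host network.
hostNetwork: false # @schema default: false

# -- Pod extra volumes.
extraVolumes: [ ] # @schema item: object ; uniqueItems: true

# NOTE(review): for sensitive values use `valueFrom.secretKeyRef` rather than a
# literal `value`; literals are readable in the pod spec and in the stored
# Helm release.
# -- Container extra environment variables.
extraEnvs: [ ] # @schema item: object ; uniqueItems: true

# -- Container extra arguments.
extraArgs: [ ] # @schema item: string ; uniqueItems: true

# -- Container extra volume mounts.
extraVolumeMounts: [ ] # @schema item: object ; uniqueItems: true

# -- Container logging level flag.
logLevel: "info" # @schema enum:[debug,info,error]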
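# Scraping is off by default; `create: true` presumably requires the
# Prometheus Operator CRDs to be installed in the cluster. Confirm before enabling.
# -- Prometheus Operator scraping settings.
serviceMonitor: # @schema default: {"create":false,"interval":"60s","scrapeTimeout":"30s"}
  create: false
  interval: 60s
  scrapeTimeout: 30s
  labels: { }

service:
  # -- Sets the IP family policy on all Service resources. Uses Kubernetes defaults if unset
  ipFamilyPolicy: '' # @schema type: string; enum:['', SingleStack, PreferDualStack, RequireDualStack]

# -- Marketplace settings.
marketplace:
  type: ""
  license: ""
  account: ""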